
[Security PoC - Cantina bounty] benign proof-of-execution for lint.yml pull_request_target RCE #119

Open
pwnhaven-afk wants to merge 2 commits into Uniswap:master from pwnhaven-afk:poc-lint-rce

Conversation

@pwnhaven-afk


Benign, invited security proof-of-concept for an active Cantina bug bounty submission on Uniswap/sybil-interface. The triager explicitly requested a pull_request_target workflow-run log showing fork-controlled code execution. This PR provides exactly that, and nothing more.

What it does: .eslintrc.json points the eslint parser at ./poc.js. When the base lint.yml (pull_request_target + wearerequired/lint-action@77d70b9a, auto_fix: true) checks out this fork head and runs eslint, node require()s poc.js, which prints proof markers (whoami, GITHUB_EVENT_NAME, repo, ref) and then returns the real @typescript-eslint/parser so linting proceeds normally.

Strictly non-destructive — what it does NOT do: does not read or exfiltrate any secret/token, does not set any Uniswap remote, and does not push to any branch. poc.js contains no weaponization.

To generate the requested log: as a first-time-contributor PR, the pull_request_target run is gated behind a maintainer "Approve and run" click (that click is not a code review, and is itself part of the documented attack path). Approving it produces the "Lint" run log showing the markers above — the artifact requested on the Cantina report.

Please close this PR once the run log is captured; the fork can then be deleted. Happy to coordinate via the Cantina thread.

@vercel

vercel Bot commented Jun 10, 2026


@pwnhaven-afk is attempting to deploy a commit to the Uniswap Team on Vercel.

A member of the Team first needs to authorize it.
